FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ayluht
Staff
Article Id 336438
Description This article describes a solution to overcome the limitation of the Advanced AD access method on collector agents.
Scope FortiGate.
Solution

FSSO redundancy operates on an active-passive principle: the FortiGate connects to the first FSSO CA in the list that responds. If the primary CA becomes unresponsive, the FortiGate switches to the secondary CA and remains connected to it until the secondary CA also becomes unresponsive. At that point, the FortiGate will attempt to reconnect to the primary CA if it becomes available again.

[Figure: FSSO.png, FSSO Collector Agent active-passive redundancy]

If an issue occurs on the Active Directory (AD) side where one of the CAs is installed, the Collector Agent is expected to stop capturing logon events, because advanced mode allows only one LDAP server to be defined. Since the service on this CA keeps running, the FortiGate does not fail over to the other CA, and FSSO is expected to stop functioning.


To overcome this limitation and build a redundant environment, using the Fully Qualified Domain Name (FQDN) configured on the AD server can be considered instead of a single IP address. If the FQDN resolves to multiple IP addresses, the Collector Agent will attempt to connect to the other Domain Controllers (DCs) associated with those IPs.
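As an added illustration that is not part of the article or of Fortinet's tooling, the Python check below resolves the AD FQDN, reports whether more than one DC address sits behind it (a single address means no failover path), and walks the addresses in order to find a reachable DC, mirroring the behaviour described above. The TCP probe to the LDAP port, the injectable resolver, and the sample hostnames and addresses are assumptions.

```python
"""Check whether an AD FQDN gives the Collector Agent a failover path.

Assumptions (not from the article): a DC is considered reachable when a
plain TCP connect to the LDAP port succeeds; the Collector Agent's own
health check may differ.
"""
import socket

LDAP_PORT = 389


def resolve_dc_addresses(fqdn, resolver=socket.getaddrinfo):
    """Return the unique IPs the FQDN resolves to, in DNS answer order.

    `resolver` is injectable so the logic can be exercised offline with a
    constructed DNS answer; by default it is socket.getaddrinfo.
    """
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in resolver(
            fqdn, LDAP_PORT, 0, socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def tcp_probe(ip, port=LDAP_PORT, timeout=2.0):
    """Default probe: True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_domain_controller(addresses, probe=tcp_probe):
    """Walk the resolved IPs in order and return the first reachable one.

    With several IPs behind the FQDN the agent can move on to another DC;
    with a single IP there is nothing to fail over to and None is returned
    as soon as that DC stops answering.
    """
    for ip in addresses:
        if probe(ip):
            return ip
    return None


def redundancy_report(fqdn, resolver=socket.getaddrinfo, probe=tcp_probe):
    """Summarise whether the FQDN provides DC redundancy and which DC answers."""
    addresses = resolve_dc_addresses(fqdn, resolver)
    return {
        "fqdn": fqdn,
        "addresses": addresses,
        "redundant": len(addresses) > 1,  # one IP = single point of failure
        "active_dc": pick_domain_controller(addresses, probe),
    }
```

Run `redundancy_report("ad.example.local")` against the FQDN configured on the Collector Agent; a report with `"redundant": False` is the single-LDAP-server situation the article warns about.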


Note:

This solution is applicable only if the AD servers are configured on the Collector Agent using an FQDN.

If the AD server is only reachable by IP address, this issue must be addressed through a New Feature Request (NFR).

New Feature Requests should be coordinated with the Systems Engineer (SE) responsible for the territory.